Using hidden fields in PHP

In PHP, hidden fields in HTML forms are used to pass data from one page to another without displaying it to the user. These fields are particularly useful for storing information that needs to persist across multiple form submissions or pages, such as user IDs, form states, or tokens for verification.

Here’s a guide on how to use hidden fields in PHP effectively:

1. Creating a Hidden Field in HTML

A hidden field is created using an <input> element with type="hidden". It's part of the form, but it won't be visible to users on the page.

<form action="next_page.php" method="POST">
    <input type="hidden" name="user_id" value="12345">
    <input type="text" name="username" placeholder="Enter username">
    <input type="submit" value="Submit">
</form>

In this example:

  • The hidden field named user_id stores the value 12345.
  • When the form is submitted, this value will be included in the form data sent to next_page.php.

2. Accessing Hidden Field Data in PHP

Hidden field data can be accessed just like other form data, using the $_POST or $_GET superglobals, depending on the form’s method attribute.

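<?php
// next_page.php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Hidden field values arrive like any other field and are user-controlled
    $user_id = $_POST['user_id'] ?? '';
    $username = $_POST['username'] ?? '';
    // Escape before output to prevent XSS
    echo "User ID: " . htmlspecialchars($user_id) . "<br>";
    echo "Username: " . htmlspecialchars($username);
}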

3. Using Hidden Fields for Session Management

Hidden fields are sometimes used to pass session-related data across pages, though PHP’s $_SESSION is a more secure way to handle session management. However, hidden fields can be helpful in cases where you cannot use sessions or cookies.

Example: Passing a User ID Between Pages

<form action="submit.php" method="POST">
    <input type="hidden" name="user_id" value="<?php echo htmlspecialchars($user_id); ?>">
    <input type="text" name="comment" placeholder="Enter your comment">
    <input type="submit" value="Submit">
</form>

Here, $user_id is assigned in PHP and written into the hidden field's value attribute. htmlspecialchars() escapes the value for the HTML context, which prevents XSS attacks. It does not stop the user from changing the value before submitting, so submit.php must still treat user_id as untrusted input.

4. Security Considerations with Hidden Fields

Hidden fields are not secure for sensitive data because users can view and modify them by inspecting the HTML. Therefore:

  • Avoid storing sensitive information (like passwords) in hidden fields.
  • Validate and sanitize hidden field data on the server side before using it.
  • Use hidden fields with server-side checks (such as session checks) to confirm the authenticity of the data.

Example: Verifying a Hidden Token

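<?php
session_start();
if (empty($_SESSION['form_token'])) {
    $_SESSION['form_token'] = bin2hex(random_bytes(32)); // random per-session token
}
?>
<form action="verify.php" method="POST">
    <input type="hidden" name="form_token" value="<?php echo $_SESSION['form_token']; ?>">
    <input type="text" name="username">
    <input type="submit" value="Submit">
</form>

<?php
// verify.php
session_start();
$sent = $_POST['form_token'] ?? '';
$expected = $_SESSION['form_token'] ?? '';
// hash_equals() compares in constant time; reject missing or non-string tokens
if (is_string($sent) && $expected !== '' && hash_equals($expected, $sent)) {
    // Process the form if the token is valid
    echo "Form submitted successfully.";
} else {
    echo "Invalid form submission.";
}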

Here, a hidden token is used to verify form authenticity. The server checks the token to prevent CSRF (Cross-Site Request Forgery) attacks.
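For the case mentioned in section 3, where sessions or cookies cannot be used, the server-side check can be an HMAC over the hidden value. The following is an added example, not code from the original article; SECRET_KEY, sign_field() and verify_field() are hypothetical names, and the key and timestamp are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example: tamper-evident hidden field (hypothetical helper names).
// Assumption: the real key lives in server-side config and never reaches the client.
const SECRET_KEY = 'constructed-demo-key-change-me';

// Build the string to place in the hidden field: base64(value).expires.mac
function sign_field(string $name, string $value, int $expires): string
{
    // The MAC covers the field name and expiry as well as the value, so a
    // signed value cannot be moved to another field or reused after expiry.
    $mac = hash_hmac('sha256', $name . '|' . $expires . '|' . $value, SECRET_KEY);
    return base64_encode($value) . '.' . $expires . '.' . $mac;
}

// Return the original value, or null if the field is malformed, altered or expired.
function verify_field(string $name, $submitted, int $now): ?string
{
    if (!is_string($submitted)) {          // e.g. user_id[]=x arrives as an array
        return null;
    }
    $parts = explode('.', $submitted);
    if (count($parts) !== 3) {
        return null;
    }
    [$b64, $expires, $mac] = $parts;
    $value = base64_decode($b64, true);
    if ($value === false || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $name . '|' . $expires . '|' . $value, SECRET_KEY);
    if (!hash_equals($expected, $mac) || (int)$expires < $now) {
        return null;
    }
    return $value;
}

// Demo with constructed data: 15-minute lifetime from a fixed timestamp.
$now = 1700000000;
$field = sign_field('user_id', '12345', $now + 900);
echo '<input type="hidden" name="user_id" value="'
    . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . '">' . PHP_EOL;

[, $exp, $mac] = explode('.', $field);
$tampered = base64_encode('99999') . '.' . $exp . '.' . $mac; // value changed, old MAC kept

var_dump(verify_field('user_id', $field, $now));        // unmodified field
var_dump(verify_field('user_id', $tampered, $now));     // edited in the browser
var_dump(verify_field('user_id', $field, $now + 901));  // submitted after expiry
var_dump(verify_field('order_id', $field, $now));       // replayed under another name
```

Signing makes tampering detectable, but the value stays readable in the page source, so the advice against putting sensitive data in hidden fields still applies.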

5. Passing Data Between Pages with Hidden Fields

Hidden fields are particularly useful when you need to maintain data across form steps in a multi-step form.

Example: Multi-Step Form with Hidden Fields

Step 1 (step1.php):

<form action="step2.php" method="POST">
    <label>Enter Name:</label>
    <input type="text" name="name">
    <input type="submit" value="Next">
</form>

Step 2 (step2.php):

<?php $name = $_POST['name'] ?? ''; ?>
<form action="final_step.php" method="POST">
    <input type="hidden" name="name" value="<?php echo htmlspecialchars($name); ?>">
    <label>Enter Age:</label>
    <input type="text" name="age">
    <input type="submit" value="Submit">
</form>

Final Step (final_step.php):

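<?php
$name = $_POST['name'] ?? '';
$age = $_POST['age'] ?? '';
// Both values come from the browser, so escape them before output
echo "Name: " . htmlspecialchars($name) . "<br>";
echo "Age: " . htmlspecialchars($age);

This setup allows data from step1.php to be carried forward to step2.php and then to final_step.php. Because the name travels through the browser again in step 2, final_step.php must treat it as untrusted input and validate it there.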

Summary

Hidden fields in PHP:

  • Enable passing of data from one page to the next in a form submission.
  • Should be validated and sanitized since they’re accessible to users.
  • Are useful for multi-step forms and preserving non-sensitive data without sessions or cookies.
  • Are not ideal for sensitive data; use session variables for that.